Malware analysis import os, json, time.py Malicious activity

Add for printing

File name:	import os, json, time.py
Full analysis:	https://app.any.run/tasks/7ef1232d-810e-4a99-9b70-9ec344a780ee
Verdict:	Malicious activity
Analysis date:	October 03, 2025, 18:22:16
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python pyinstaller arch-exec
Indicators:
MIME:	text/x-script.python
File info:	Python script, ASCII text executable, with CRLF line terminators
MD5:	27514B7F191E1DE211FD7C7E3A2C658C
SHA1:	6ED4B1BC0324DD6BCEF09A70670E3D2FD8069DA5
SHA256:	D88DD100D3E8E2DDB9AEE377CC56C023FBA211BBEBBF6255318CA5CA70D7924F
SSDEEP:	48:rqmaqv09f40HA99bPjxZnv6nqYTTcsUxRQ7:Wm7v8f42oLjxZv/WAsAQ7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
- The process drops C-runtime libraries
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
- Loads Python modules
  - oszsave.exe (PID: 6480)
  - oszsave.exe (PID: 9608)
  - oszsave.exe (PID: 9772)
- Application launched itself
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
- Executable content was dropped or overwritten
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
  - selenium-manager.exe (PID: 7208)
- Process drops python dynamic module
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
- Starts CMD.EXE for commands execution
  - selenium-manager.exe (PID: 7208)
INFO
- Reads the computer name
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 6480)
  - oszsave.exe (PID: 9608)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
  - selenium-manager.exe (PID: 7208)
  - oszsave.exe (PID: 9772)
  - chromedriver.exe (PID: 7908)
- Reads Microsoft Office registry keys
  - OpenWith.exe (PID: 572)
  - firefox.exe (PID: 7072)
  - firefox.exe (PID: 9360)
- Checks supported languages
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 6480)
  - oszsave.exe (PID: 9608)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
  - selenium-manager.exe (PID: 7208)
  - oszsave.exe (PID: 9772)
  - chromedriver.exe (PID: 7908)
- The sample compiled with english language support
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
  - firefox.exe (PID: 9360)
- Manual execution by a user
  - oszsave.exe (PID: 1312)
  - firefox.exe (PID: 6240)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
  - firefox.exe (PID: 9124)
- Create files in a temporary directory
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9752)
  - selenium-manager.exe (PID: 7208)
  - chromedriver.exe (PID: 7908)
- Drops encrypted JS script (Microsoft Script Encoder)
  - oszsave.exe (PID: 6480)
  - oszsave.exe (PID: 9608)
  - oszsave.exe (PID: 9772)
- Checks proxy server information
  - oszsave.exe (PID: 6480)
  - slui.exe (PID: 10052)
  - oszsave.exe (PID: 9608)
  - selenium-manager.exe (PID: 7208)
  - oszsave.exe (PID: 9772)
- Application launched itself
  - firefox.exe (PID: 7072)
  - firefox.exe (PID: 6240)
  - firefox.exe (PID: 9124)
  - firefox.exe (PID: 9360)
  - chrome.exe (PID: 9876)
- PyInstaller has been detected (YARA)
  - oszsave.exe (PID: 1312)
  - oszsave.exe (PID: 6480)
  - oszsave.exe (PID: 8100)
  - oszsave.exe (PID: 9608)
  - oszsave.exe (PID: 9752)
- Reads the software policy settings
  - slui.exe (PID: 10052)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 9360)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

248

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

464

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5556 -prefsLen 39120 -prefMapHandle 5560 -prefMapSize 273089 -jsInitHandle 5564 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5460 -initialChannelId {1007592a-47af-4b5f-829e-d481e0a39039} -parentPid 9360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll

572

"C:\WINDOWS\System32\OpenWith.exe" "C:\Users\admin\AppData\Local\Temp\import os, json, time.py"

C:\Windows\System32\OpenWith.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Pick an app

Exit code:

2147943623

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1312

"C:\Users\admin\Desktop\oszsave.exe"

C:\Users\admin\Desktop\oszsave.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\oszsave.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1524

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" --user-data-dir="C:\Users\admin\AppData\Local\Temp\scoped_dir7908_836643232" --field-trial-handle=5388,i,4773716901351334924,9515672304833358210,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging=handle --log-file=5308 --log-level=0 --mojo-platform-channel-handle=5380 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1880

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

selenium-manager.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2000

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

oszsave.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2000

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" --user-data-dir="C:\Users\admin\AppData\Local\Temp\scoped_dir7908_836643232" --field-trial-handle=5600,i,4773716901351334924,9515672304833358210,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging=handle --log-file=5660 --log-level=0 --mojo-platform-channel-handle=3396 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2280

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4300 -prefsLen 39120 -prefMapHandle 4520 -prefMapSize 273089 -jsInitHandle 3688 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3672 -initialChannelId {ca072228-bf00-42b4-a350-5bf2d53f5003} -parentPid 9360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll

2344

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" --user-data-dir="C:\Users\admin\AppData\Local\Temp\scoped_dir7908_836643232" --field-trial-handle=5912,i,4773716901351334924,9515672304833358210,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging=handle --log-file=5920 --log-level=0 --mojo-platform-channel-handle=5804 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2416

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4100 -prefsLen 45014 -prefMapHandle 4104 -prefMapSize 273089 -jsInitHandle 4108 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4116 -initialChannelId {35f2c434-f731-4680-9600-be5fe4b9bfef} -parentPid 9360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

43 046

Read events

43 034

Write events

Delete events

Modification events


(PID) Process:	(572) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\oregres.dll,-205
Value: Word
(PID) Process:	(572) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@wmploc.dll,-102
Value: Windows Media Player
(PID) Process:	(7072) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(9360) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(9876) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(9876) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(9876) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(9876) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(9876) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(9876) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1

Add for printing

Executable files

Suspicious files

583

Text files

135

Unknown types

Dropped files

PID	Process	Filename		Type
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\VCRUNTIME140_1.dll		executable
		MD5:68156F41AE9A04D89BB6625A5CD222D4	SHA256:82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\_bz2.pyd		executable
		MD5:057325E89B4DB46E6B18A52D1A691CAA	SHA256:5BA872CAA7FCEE0F4FB81C6E0201CEED9BD92A3624F16828DD316144D292A869
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\VCRUNTIME140.dll		executable
		MD5:862F820C3251E4CA6FC0AC00E4092239	SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\_ctypes.pyd		executable
		MD5:2185849BC0423F6641EE30804F475478	SHA256:199CD8D7DB743C316771EF7BBF414BA9A9CDAE1F974E90DA6103563B2023538D
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\_cffi_backend.cp313-win_amd64.pyd		executable
		MD5:5CBA92E7C00D09A55F5CBADC8D16CD26	SHA256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\_hashlib.pyd		executable
		MD5:CF4120BAD9A7F77993DD7A95568D83D7	SHA256:14765E83996FE6D50AEDC11BB41D7C427A3E846A6A6293A4A46F7EA7E3F14148
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\_asyncio.pyd		executable
		MD5:70DEC3CE00E5CAF45246736B53EA3AD0	SHA256:8CEF0CD8333F88A9F9E52FA0D151B5F661D452EFBCFC507DC28A46259B82596C
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\_curses.cp313-win_amd64.pyd		executable
		MD5:94FF8CCD340074CAAC7ED263D933D86E	SHA256:AC58644674C5DF6D9E4140718A38E8E81751D0368F5C53B909BBEEB03F39B9FF
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\_decimal.pyd		executable
		MD5:F465C15E7BACEAC920DC58A5FB922C1C	SHA256:F4A486A0CA6A53659159A404614C7E7EDCCB6BFBCDEB844F6CEE544436A826CB
1312	oszsave.exe	C:\Users\admin\AppData\Local\Temp\_MEI13122\selenium\webdriver\common\linux\selenium-manager		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

252

DNS requests

276

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4392	svchost.exe	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
4392	svchost.exe	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
2756	backgroundTaskHost.exe	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	DE	binary	471 b	whitelisted
4180	backgroundTaskHost.exe	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	DE	binary	471 b	whitelisted
7072	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	US	text	90 b	whitelisted
7072	firefox.exe	POST	200	142.250.184.195:80	http://o.pki.goog/we2	US	binary	279 b	whitelisted
7072	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	US	text	8 b	whitelisted
7072	firefox.exe	POST	—	142.250.184.195:80	http://o.pki.goog/s/wr3/W6c	US	—	—	whitelisted
7072	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	US	text	8 b	whitelisted
7072	firefox.exe	POST	200	142.250.184.195:80	http://o.pki.goog/wr2	US	binary	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6332	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6016	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5224	SearchApp.exe	2.21.22.144:443	www.bing.com	Akamai International B.V.	CH	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4392	svchost.exe	20.190.160.131:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4392	svchost.exe	23.54.109.203:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3572	backgroundTaskHost.exe	2.21.22.144:443	www.bing.com	Akamai International B.V.	CH	whitelisted
3572	backgroundTaskHost.exe	23.54.109.203:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3464	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	2.21.22.144 2.21.22.131	whitelisted
google.com	142.250.184.238	whitelisted
login.live.com	20.190.160.131 40.126.32.140 20.190.160.65 20.190.160.17 40.126.32.74 40.126.32.138 40.126.32.72 40.126.32.133	whitelisted
ocsp.digicert.com	23.54.109.203 162.159.142.9 172.66.2.5	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
arc.msn.com	20.199.58.43 20.31.169.57	whitelisted
fd.api.iris.microsoft.com	20.105.99.58	whitelisted
api.github.com	140.82.121.5	whitelisted
content-signature-2.cdn.mozilla.net	34.160.144.191	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
9848	chrome.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt

Add for printing

Process	Message
chrome.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\scoped_dir7908_836643232 directory exists )

General Info

import os, json, time.py

27514B7F191E1DE211FD7C7E3A2C658C

6ED4B1BC0324DD6BCEF09A70670E3D2FD8069DA5

D88DD100D3E8E2DDB9AEE377CC56C023FBA211BBEBBF6255318CA5CA70D7924F

48:rqmaqv09f40HA99bPjxZnv6nqYTTcsUxRQ7:Wm7v8f42oLjxZv/WAsAQ7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

The process drops C-runtime libraries

Loads Python modules

Application launched itself

Executable content was dropped or overwritten

Process drops python dynamic module

Starts CMD.EXE for commands execution

INFO

Reads the computer name

Reads Microsoft Office registry keys

Checks supported languages

The sample compiled with english language support

Manual execution by a user

Create files in a temporary directory

Drops encrypted JS script (Microsoft Script Encoder)

Checks proxy server information

Application launched itself

PyInstaller has been detected (YARA)

Reads the software policy settings

Executable content was dropped or overwritten

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings